SB20241015194 - Multiple vulnerabilities in Oracle VM VirtualBox

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2024-21253)

The vulnerability allows a local privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to perform service disruption.

2) Improper Authorization (CVE-ID: CVE-2024-21248)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper authorization within the implementation of Shared Folders. A local user can execute arbitrary code in the context of the current user on the host system.

3) Memory leak (CVE-ID: CVE-2024-21273)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due memory leak within the BusLogic module. A local user can gain access to sensitive information.

4) Improper input validation (CVE-ID: CVE-2024-21263)

The vulnerability allows a local authenticated user to access sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to access sensitive information or perform a denial of service (DoS) attack.

5) Heap-based buffer overflow (CVE-ID: CVE-2024-21259)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the implementation of the virtual TPM device. A local user can trigger a heap-based buffer overflow and execute arbitrary code in the context of the hypervisor.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpuoct2024.html?151